INDIVIDUAL INFORMATION MANAGING DEVICE 

BACKGROUND OF THE INVENTION 
Field of the Invention 

The present invention relates to an individual 
information managing device connected to a communication line 
network, for managing individual information. 
Description of the Related Art 

In recent years, there has been a rapid progress in the 
utilization of the Internet that connects between personal 
computers. For example, in the medical field, a data center 
for managing electronic medical sheet system has been utilized, 
and this data center has been accessed through the Internet. 
Thus, the information management system itself has been changed 
in various fields. 

Under the social environment that has been changing 
rapidly, there has been an urgent requirement for building up 
a system that can prevent individual information, like 
individual medical information in the electronic medical sheet 
system, from being carelessly disclosed or made open through 
the Internet, thereby to avoid giving unexpected disadvantages 
to the individuals . 

SUMMARY OF THE INVENTION 
In the light of the above situation, it is an object of 
the present invention to provide an individual information 
managing device that protects individual information. 



1 



In order to achieve the above object, according to the 
present invention, there is provided an individual information 
managing device connected to a communication line network, for 
managing individual information, the device comprising: an 
individual information storing section in which information on 
each individual has been registered; a disclosure procedure 
storing section in which an information disclosure procedure 
assigned for each individual by each individual has been 
13 registered; and a disclosure procedure executing section that 

fS receives a request for disclosing information on a specific 

m individual through the communication line network, executes an 

ly information disclosure procedure that matches an information 

]" disclosure procedure of the specific individual stored in the 

E disclosure procedure storing section, and transmits the 

^ information on the specific individual to the communication 

i line network toward the information requesting origin when the 

information disclosure procedure has been satisfied. 

The individual information managing device of the present 
invention stores in advance an information disclosure procedure 
assigned for each individual by each individual. In disclosing 
the information on a certain specific individual, this 
information is disclosed according to the information 
disclosure procedure that has been assigned in advance by this 
specific individual. Disclosure of the information against 
the will of this individual is prevented. Therefore, it is 
possible to prevent this individual from being subjected to 
unexpected disadvantages . 
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In the individual information managing device of the 
present invention, it is preferable that the individual 
information storing section is registered with each individual 
information that consists of a plurality of ranked pieces of 
information for each individual, based on the arrangement that 
each individual assigns a rank to each of the pieces of 
information that constitute the individual information from 
among a plurality of ranks, the disclosure procedure storing 
section is registered with an information disclosure procedure 
according to each rank assigned within each individual by each 
individual, and the disclosure procedure executing section 
receives a request for disclosing information on a specific 
individual, and executes an information disclosure procedure 
stored in the disclosure procedure storing section that matches 
an information disclosure procedure corresponding to a rank of 
the information on the specific individual of which disclosure 
request has been received. 

Individual information includes various levels of 
individual information relating to their information 
disclosure such as individual information of which disclosure 
does not give little problem, and subtle individual information 
that should be handled confidentially, like ethnic group, race, 
mental disorder, religion, etc- that are prescribed in the JISQ 
15001 . 

Therefore, as described above, the individual 
information for each individual is divided into a plurality of 
ranks. In disclosing the individual information, the 
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information is disclosed according to an information disclosure 
procedure corresponding to the information to be disclosed. 
Based on this arrangement, it is possible to balance between 
the protection and the disclosure of the individual information 
in further detail. 

The information disclosure procedure for each rank is 
assigned for each individual by each individual. Therefore, 
the disclosure of information at any rank without the intention 
of the individual can be prevented. In this case, the 
assignment of each rank to each individual information is up 
to each individual. Therefore, it is possible to protect each 
individual information based on the way of thinking of each 
individual and the environment . 

Further, in the individual information managing device 
of the present invention, it is preferable that the disclosure 
procedure storing section is registered with an information 
disclosure procedure at a normal time for each individual 
assigned by each individual, and an information disclosure 
procedure at an emergency time for each individual assigned by 
each individual, and the disclosure procedure executing section 
receives a request for disclosing information on a specific 
individual, with attached information for identifying a normal 
time and an emergency time, and executes an information 
disclosure procedure of the specific individual stored in the 
disclosure procedure storing section that matches the 
information disclosure procedure at a normal time or the 
information disclosure procedure at an emergency time. 
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depending on whether the disclosure request belongs to the 
normal time or the emergency time. 

At an emergency time, for example, when the individual 
has met an accident and is not in a position to be able to express 
intention of the information disclosure, it is not suitable to 
request an information disclosure procedure that is the same 
as that of the normal time. Therefore, it is preferable that 
the information disclosure procedure is divided into the one 
for a normal time and the other for an emergency time, and that, 
at an emergency time, the information disclosure procedure at 
an emergency time of each individual assigned in advance by each 
individual is followed. 

Further, in the individual information managing device 
of the present invention, it is preferable that the disclosure 
procedure storing section is registered with a posting 
procedure assigned by each individual for posting to an 
individual, as a part of an information disclosure procedure 
for each individual, and the disclosure procedure executing 
section has a disclosure request posting section that receives 
a request for disclosing information on a specific individual, 
posts to the specific individual that there has been a request 
for disclosing the individual information, in a posting 
procedure that matches the posting procedure to the specific 
individual stored in the disclosure procedure storing section, 
and receives an approval for the information disclosure from 
the individual who has received this posting, and the disclosure 
procedure executing section receives an approval for the 
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information disclosure from the disclosure request posting 
section, and further proceeds with the information disclosure 
procedure . 

As a part of the information disclosure procedure, this 
procedure includes a procedure that, when there has been a 
request for disclosing the information of a certain individual, 
the fact that there has been a request for disclosing the 
information of this individual is posted to this individual, 
and an approval for the information disclosure is obtained from 
this individual. Based on this arrangement, it is possible to 
avoid such a situation that the own information of an individual 
is disclosed while this individual is not aware of this fact. 

Further, in the individual information managing device 
of the present invention, it is preferable that the disclosure 
procedure storing section is registered with an authentication 
procedure assigned by each individual for authenticating each 
individual, as a part of an information disclosure procedure 
for each individual, and the disclosure procedure executing 
section has an authenticating section that receives a request 
for disclosing information on a specific individual, and 
authenticates the specific individual in an authentication 
procedure that matches the authentication procedure of the 
specific individual stored in the disclosure procedure storing 
section . 

In disclosing the individual information, it is 
preferable to obtain the approval for the information 
disclosure from this individual, and to confirm that the 
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approved person is the true individual, based on an 
authentication procedure. It is possible to reflect the 
intention of the individual into the authentication procedure 
along the authentication procedure assigned in advance by the 
individual . 

When both the disclosure request posting section and the 
authenticating section are provided, it is preferable that the 
authenticating section authenticates the specific individual 
in an authentication procedure that matches the authentication 
procedure of the specific individual stored in the disclosure 
procedure storing section, after the disclosure procedure 
executing section has received an approval for the information 
disclosure from the disclosure request posting section. 

Further, in the individual information managing device 
of the present invention, it is preferable that the disclosure 
procedure storing section can be freely registered with an 
authorized person to whom the right of proceeding with an 
information disclosure procedure on behalf of the individual 
has been transferred for each individual, and the disclosure 
procedure executing section receives a request for disclosing 
information on a specific individual, and executes an 
information disclosure procedure of the specific individual 
stored in the disclosure procedure storing section that matches 
the information disclosure procedure of an authorized person 
as a procedure for disclosing the information on the specific 
individual, when the disclosure procedure storing section has 
been registered with the authorized person to whom the right 
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of proceeding with the information disclosure procedure on 
behalf of the individual has been transferred. 

Based on the above arrangement, a person with parental 
authority over a child or a protector who looks after a person 
to be nursed can proceed with the procedure of disclosing the 
individual information of this cared person while protecting 
the individual information of this person, on behalf of this 
person . 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a schematic view showing one example of an 
individual information management and disclosure system that 
includes one embodiment of an individual information managing 
device of the present invention. 

Fig. 2 is a hardware structure diagram of the server 
machine shown in Fig . 1 . 

Fig. 3 is a functional block diagram showing one 
embodiment of the individual information managing device 
according to the present invention. 

Fig. 4 is a diagram showing an individual- information 
table that is registered in the individual information storing 
section. 

Fig. 5 is a diagram showing an example of an 
authentication data table. 

Fig. 6 is a diagram showing an example of an information 
disclosure procedure table. 

Fig. 7 is a diagram showing an example of a normal -time 



8 




authentication table . 

Fig. 8 is a diagram showing an example of an 
emergency- time authentication table. 

Fig. 9 is a diagram showing an example of a posting order 

table . 

Fig. 10 is a diagram showing an example of a right transfer 

table . 

Fig. 11 is a flowchart showing an information disclosure 
procedure in the server machine. 

Fig. 12 is a diagram showing a detailed flow of a process 
of posting an individual information disclosure request and a 
process of obtaining an approval for the disclosure shown at 
step S5 in Fig. 11. 

Fig. 13 is a diagram showing a detailed flow of an 
authentication procedure at a normal time at step S7 shown in 
Fig. 11. 

Fig. 14 is a diagram showing a detailed flow of step of 
a disclosure (step S10) in Fig. 11. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
Embodiments of the present invention will be explained 

below. 

Fig. 1 is a schematic view showing one example of an 
individual information management and disclosure system that 
includes one embodiment of an individual information managing 
device of the present invention. 

This drawing shows one server machine 100 that 
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corresponds to the embodiment of the individual information 
managing device according to the present invention and two 
representative client machines 200 and 300 . They are connected 
to a communication line network 500. 

Out of the two client machines 200 and 300, one client 
machine 200 is a client machine at an information provider side. 
The other client machine 300 is a client machine at an 
information user side. While one client machine at the 
information provider side and one client machine at the 
information user side are shown here, they are shown as 
representatives. Usually, a large number of client machines 
at the information provider side and a large number of client 
machines at the information user side are connected to the 
communication line network 500. 

The client machine 200 at the information provider side 
is connected with a portable telephone 210. In other words, 
an electronic mail transmitted to the client machine 200 can 
be transferred to this portable telephone 210. Also, the 
portable telephone 210 can make access to this system via the 
client machine 200. In Fig. 1, an arrow mark may appear to 
indicate that the portable telephone 210 is directly connected 
to the client machine 200. However, this arrow mark only shows 
that the client machine 200 and the portable telephone 210 are 
connected to each other in the above -described meaning. In 
actual practice, they are connected to each other via the 
communication line network 500 including a radio communication 
line not shown. 
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The server machine 100 and the two client machines 200 
and 300 shown in Fig. 1 include: main body sections 101. 201, 
and 301 respectively, each incorporating a CPU. a main storage, 
a hard disk, a communication board, etc. ; display sections 102. 
202, and 302 respectively for displaying images and character 
strings on display screens 102a, 202a, and 302a based on 
instructions from the main body sections 101. 201. and 301 
respectively; keyboards 103. 203, and 303 respectively for 
inputting user instructions to the server machine 100 and the 
two client machines 200 and 300 respectively; and mice 104. 204. 
and 304 respectively for inputting instructions corresponding 
to icons displayed on the screen when an optional position has 
been assigned on the display screens 102a. 202a. and 302a 
respectively . 

The main body sections 101, 201, and 301 of the server 
machine 100 and the client machines 200 and 300 respectively 
further have FD loading openings 101a, 201a, and 301a for 
loading a floppy disk (FD), and CDROM loading openings 101b, 
201b. and 301b for loading a CDROM (an FD and a CDROM are not 
shown in Fig. 1: reference Fig. 2). Inside these loading 
openings , there are provided floppy disk drives and CDROM drives 
for driving the floppy disks and CDROMs inserted from the 
loading openings 101a, 201a, and 301a and 101b, 201b, and 301b 
respectively, to make access to the floppy disks and CDROMs. 
Further, the main body sections 101. 201. and 301 of the server 
machine 100 and the client machines 200 and 300 respectively 
are connected to the communication line network 500. 



11 




Further, the client machines 200 and 300 are connected 
with microphones 205 and 305 to input voice, and fingerprint 
readers 206 and 306 for reading fingerprint respectively. 

Further, the portable telephone 210 is connected to the 
client machine 200 at the information provider side, as 

described above. 

Fig. 2 is a hardware structure diagram of the server 
machine shown in Fig. 1. Each client machine has a hardware 
structure similar to that of the server machine, except that 
the microphone and the fingerprint reader are connected to the 
client machine. The hardware structure of the server machine 
will be explained with reference to the drawing. 

There are a central processing unit (CPU) 111, a RAM 112, 
a hard disk controller 113, an FD drive 114, a CDROM drive 115, 
a mouse controller 116, a keyboard controller 117, a display 
controller 118. and a communication board 119. They are 
connected to each other via a bus 110. 

The FD drive 114 and the CDROM drive 115 are loaded with 
a floppy disk 610 and a CDROM 620 , for making access to the floppy 
disk 610 and the CDROM 620 that have been loaded respectively, 
as explained with reference to Fig. 1. 

There are also shown here a hard disk 120 that is accessed 
by the hard disk controller 113 . the mouse 104 that is controlled 
by the mouse controller 116 , the keyboard 103 that is controlled 
by the keyboard controller 117, the display section 102 that 
is controlled by the display controller 118, and the 
communication line network 500 that is connected via the 
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communication board 119. 

The CDROM 620 stores an individual information management 
program for operating the server machine 100 shown in Fig. 1 
as one embodiment of the individual information managing device 
of the present invention. This individual information 
management program is read from the CDROM 620 by the CDROM drive 
115, and is then stored into the hard disk 120 by the hard disk 
controller 113 via the bus 110. In the actual execution, the 
individual information management program within the hard disk 
120 is loaded onto the RAM 112, and is executed by the CPU 111. 

Fig. 3 is a functional block diagram showing one 
embodiment of the individual information managing device 
according to the present invention. The individual 
information managing device shown in Fig. 3 is composed of a 
combination of the hardware of the server machine 100 shown in 
Fig. 1 and Fig. 2 and the individual information management 
program installed from the CDROM 620, and the accumulation of 
the individual information thereafter. 

The individual information managing device 700 shown in 
Fig. 3 consists of an individual information storing section 
710, a disclosure procedure storing section 720, and a 
disclosure procedure executing section 730. The disclosure 
procedure executing section 730 further includes a disclosure 
request posting section 731 and an authenticating section 732. 

The individual information storing section 710 is 
registered with information for each individual. 

Fig. 4 is a diagram showing an individual -information 
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table that is registered in the individual information storing 
section . 

Fig. 4 shows only a part of individual information for 
one person. The individual information storing section stores 
various individual information including a resident basic 
number, address, name, date of birth, sex. a care class, etc. 

The disclosure procedure storing section 7 20 shown in Fig. 
3 is registered with an information disclosure procedure for 
each individual assigned by each individual. 

Fig. 5 to Fig. 10 are diagrams showing examples of various 
kinds of tables that are necessary for executing the information 
disclosure procedure for each individual. 

Specifically. Fig. 5. Fig. 6. and Fig. 10 show an 

authentication data table, an information disclosure procedure 
table, a normal- time authentication table, an emergency- time 
authentication table, a posting order table, and a right 
transfer table, respectively. 

One authentication data table shown in Fig. 5 is prepared 
for each individual. This authentication data table is 
registered with various data including , for example, apassword, 
a fingerprint, a voiceprint. DNA, etc. that are necessary for 
authenticating each individual. This authentication data 
table is a kind of individual information, and these data may 
be included in the individual -information table shown in Fig. 
4. However, for the sake of the subsequent explanation, the 
authentication data table is prepared separately from the 
individual- information table. 
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One information disclosure procedure table shown in Fig. 
6 is prepared for each disclosure level of each individual. 
This information disclosure procedure table is registered with 
a disclosure level, disclosure items, and an authentication 
method. The disclosure level is classified into five ranks from 
1 to 5 in the present embodiment . As the rank number becomes 
larger, the level of secrecy becomes higher. The column of the 
disclosure items shows items of individual information 
corresponding to the disclosure level (the disclosure level 1 
in the example shown in Fig . 6 ) . The column of the 
authentication method is registered with an authentication 
method for disclosing the individual information of the 
disclosure level. However, in this case, this column is 
registered with a pointer that indicates the normal- time 
authentication table shown in Fig. 7 in which the authentication 
method has been registered. 

The information disclosure procedure table shown in Fig. 
6 is a table in which the information has been registered based 
on the idea of the individual while based on a guidance of a 
standard structure. In other words, what individual 
information is to be registered for the disclosure level 1 and 
what authentication method is to be used for disclosing the 
individual information of the disclosure level 1 are all up to 
the decision of the individual. 

The normal- time authentication table shown in Fig. 7 is 
also prepared for each disclosure level of each individual like 
the information disclosure procedure table shown in Fig. 6. 
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Each table is indicated with the pointer in the column of the 
authentication method in the information disclosure procedure 
table (reference Fig. 6) for each disclosure level of each 
individual. The normal- time authentication table for each 
disclosure level is registered with an authentication procedure 
for each disclosure level at a normal time of the individual. 

In the example shown in Fig. 7, it is meant that the 
disclosure of the items of individual information listed in the 
linked information disclosure procedure table (reference Fig. 
6) is permitted only when the password, the fingerprint and the 
voiceprint have coincided with the registered ones, at a normal 
time . 

One emergency- time authentication table shown in Fig. 8 
is prepared for each individual. This emergency- time 
authentication table is registered with an authentication 
method to be used when the individual cannot express the 
intention of disclosure/non-disclosure of the information like 
when the individual has become unconscious and also when the 
information on the individual has become urgently necessary. 
In the example shown in Fig. 8, it is meant that the disclosure 
of the information on the individual is permitted when any one 
of the fingerprint and the DNA of the individual has been 
confirmed, at an emergency time. The information of this 
emergency- time authentication table shown in Fig. 8 is also 
registered based on the intention of the individual . When the 
columns of this emergency- time authentication table have been 
blank or when only a password that cannot guarantee the 
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authentication of the individual has been registered, the 
information of this individual is not disclosed even when the 
life of this individual faces crisis, except when there is a 
legal prescription. A request for the disclosure of 
information at an emergency time is basically permitted to only 
limited persons like doctors in an assigned emergency hospital. 
In the present embodiment, when the authentication method 
registered in this emergency- time authentication table has been 
satisfied, all the information are disclosed according to the 
request. However, even at an emergency time, the information 
to be disclosed may be limited by arranging such that the 
information that is not urgently required and that is 
confidential like a criminal record and family origin, etc. is 
not disclosed. 

The posting order table shown in Fig. 9 is prepared for 
each individual, and this posting order table is registered with 
orders of posting methods for posting some information to this 
individual. Each individual registers the methods into this 
posting order table based on the intention of the individual. 
The example shown in Fig. 9 means that a posting is first made 
to a portable telephone. When it has not been possible to 
communicate with this portable telephone, a call is made to a 
separate telephone registered in this table. When it has not 
been possible to communicate with this telephone, a message is 
sent by an electronic mail. When there has been no reply even 
after a predetermined period of time (for example. 15 minutes) , 
a message is sent to an acting person 1. When it has not been 
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possible to communicate with the acting person 1, a message is 
sent to an acting person 2. A method of posting to the acting 
person 1 and the acting person 2 is based on posting order tables 
of the acting person 1 and the acting person 2 respectively that 
are similar to the posting order table shown in Fig. 9. However, 
even when the posting order table of the acting person is 
registered with further acting persons of this acting person, 
a message is not sent to these further acting persons of this 
acting person. 

The right transfer table shown in Fig. 10 is prepared for 
an individual who requires this table among the individuals . 

For example , when the individual is a child of a 
predetermined age or younger, this right transfer table is 
registered with a person with parental authority over this child . 
When the individual is a person who needs care and the care class 
of this person is at a predetermined level or above, a protector 
who looks after this person is registered in this right transfer 
table. 

The explanation will be continued referring back to Fig. 

3. 

The disclosure procedure executing section 730 basically 
carries out the following. The disclosure procedure executing 
section 730 receives a request for disclosing the information 
of a specific individual via the communication line network 500 , 
and executes an information disclosure procedure that matches 
the information disclosure procedure of this specific 
individual stored in the disclosure procedure storing section 
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720. When this information disclosure procedure has been 
satisfied, the disclosure procedure executing section 730 
extracts the information of this specific individual of which 
disclosure has been requested, from the individual information 
stored in the disclosure procedure storing section 710. Then, 
the disclosure procedure executing section 7 30 transmits the 
extracted information to the communication line network 500 
toward the request origin. Specifically, the disclosure 
procedure storing section 720 is registered with a posting 
procedure assigned by each individual for posting to an 
individual, and an authentication procedure assigned by each 
individual for authenticating each individual, as a part of an 
information disclosure procedure for each individual. The 
disclosure procedure executing section 7 30 receives a request 
for disclosing information on a specific individual. 
Basically, the disclosure request posting section 731 posts to 
the specific individual that there has been a request for 
disclosing the individual information, in a posting procedure 
that matches the posting procedure to the specific individual 
stored in the disclosure procedure storing section 720, and 
receives an approval for the information disclosure from the 
individual who has received this posting. Next, in the 
disclosure procedure executing section 730. the authenticating 
section 732 authenticates the specific individual in an 
authentication procedure that matches the authentication 
procedure of the specific individual stored in the disclosure 
procedure storing section 720. However, a message may be sent 
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to an acting person or a protector who looks after this specific 
individual, instead of sending the message to this specific 
individual, and the authentication may be obtained from this 
acting person or the person who looks after this individual. 
Details will be explained later. After correctly finishing 
this authentication procedure, the information of which 
disclosure has been requested is extracted, and this 
information is transmitted to the request origin. 

One example of the individual information disclosure 
procedure will be explained below. For the purpose of 
explanation, it is assumed that a patient having the client 
machine 200 shown in Fig. 1 at home carries the portable 
telephone 210 and visits a hospital that is installed with the 
client machine 300 to consult a doctor. 

Fig. 11 is a flowchart showing an information disclosure 
procedure in the server machine 100 shown in Fig. 2. 

A doctor at a hospital installed with the client machine 
300 shown in Fig. 1 operates the client machine 300 to request 
the server machine 100 to transmit information on the case 
history and the allergy of the visited patient, for the doctor 
to know this information. 

The server machine 100 receives the information 
disclosure request (step SI in Fig. 11), and makes a decision 
about whether this information disclosure request is a request 
for the disclosure of the individual information according the 
present embodiment or not (step S2). When the information 
disclosure request is the request for information irrelevant 
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to the individual information (for example, a guide on the 
government or a public organization), a processing that meets 
this characteristic of information is carried out (step S3). 

When a decision has been made at step S2 that the 
information disclosure request this time is the request for the 
disclosure of the individual information, a decision is made 
next about whether this disclosure request is urgent or not. 

When a decision has been made at step S4 that the 
information disclosure request is the request at a normal time, 
the process proceeds to step S5 . At step S5 , the server machine 
posts to the owner of this individual information, that is, the 
patient who has visited the hospital, that there has been the 
request for disclosing the individual information, and requests 
this individual (the patient) to approve the disclosure of the 
individual information. When the patient has not approved the 
disclosure, the individual information is not disclosed (step 
S6) , and this fact is posted to the disclosure request origin. 
Details of step S5 will be explained later. 

When the patient has approved the disclosure, the process 
proceeds to step S7, where the authentication procedure at a 
normal time is carried out. Details of this authentication 
procedure at a normal time will be also explained later. 

When a decision has been made at step S4 that the 
information disclosure request is urgent, the authentication 
procedure at an emergency time is carried out (step S8 ) . 
Details of this authentication procedure at an emergency time 
will also be explained later. 
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When the authentication has been carried out correctly 
in the authentication procedure at step S7 or step S8 (step S9 ) . 
the requested individual information of this individual (the 
patient) is disclosed to the request origin (the client machine 
300) (step S10). On the other hand, when the authentication 
has been unsuccessful, the disclosure is not carried out (step 
S6), and this fact is posted to the request origin. 

Fig . 12 is a diagram showing a detailed flow of the process 
of posting an individual information disclosure request and the 
process of obtaining an approval for the disclosure shown at 

step S5 in Fig. 11. 

First, a decision is made about whether the individual 
as the owner of the information of which disclosure request has 
been received is under the protection of other individual or 

not (step S51) . 

In this case, the individual- information table 
(reference Fig. 4) of the individual (the patient) as the owner 
of the information of which disclosure request has been received 
is referred to . When this individual ( the patient ) is a child 
of a predetermined age or younger, or when the individual is 
a severely handicapped person whose care class is at a high level, 
a person who looks after this individual is responsible for the 
disclosure of the individual information. In this case, the 
right transfer table (reference Fig. 10) of this individual is 
referred to. Then, the fact that there has been the request 
for the disclosure of the information of this individual is 
posted to the protector to whom the right of the disclosure of 
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the information of this individual has been transferred (step 
S57) . 

When the individual is a normal adult who does not require 
such a protection, the fact that there has been the request for 
the disclosure of the information of this individual is posted 
to this person ( step S52 ) . In posting the message to this person , 
the posting order table of this person is referred to. In the 
example shown in Fig. 9, first, the fact that there has been 
the request for the disclosure of the information of this 
individual is posted to the portable telephone. When there has 
been no response from the portable telephone, a posting based 
on the next step is tried according to the posting order table. 

In this case, the patient as the individual who receives 
this posting has visited the hospital with the portable 
telephone in hand. Therefore, the portable telephone of this 
patient receives a call, and the fact there has been the request 
for the disclosure of the information of this individual is 
posted in automatic voice. Then, the patient manipulates the 
buttons of the portable telephone or gives voice to make a 
response to express the intention of the patient that the 
patient approves or does not approve the disclosure of the 
information . 

When the server machine 100 (reference Fig. 1) has 
received a posting from this patient that the patient approves 
the disclosure, the process proceeds to the authentication 
procedure at a normal time at the next step S7 ( reference Fig . 11 ) . 
On the other hand, when the server machine 100 has received a 
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posting from this patient that the patient does not approve the 
disclosure, the process proceeds to step S6 ( reference Fig . 11), 
and a message that the disclosure is not carried out is posted 
to the client machine 300. 

When there has been no response from the individual after 
the server machine has tried to communicate with this individual 
through the portable telephone, another telephone, and the 
electronic mail according to the posting order table shown in 
Fig. 9, the process proceeds to step S54. At step S54, a 
decision is made about whether an acting person has been 
registered in this posting order table or not. When an acting 
person has been registered, a posting to this acting person is 
tried (step S55) . The posting to this acting person is carried 
out according to the posting order table registered by this 
acting person . However , as described above # even when an acting 
person of this acting person has been registered in the posting 
order table of this acting person, a posting is not carried to 
the acting person of this acting person. 

When a posting of the approval for the disclosure of the 
information has come from this acting person as a result of the 
trial of posting to this acting person of the individual, the 
process proceeds to step S7. In this case, an authentication 
procedure is carried out to the acting person who has approved 
the information disclosure. When a response of no approval for 
the information disclosure has come from this acting person, 
or when there has been no response from this acting person (or 
from none of the acting persons in the case of a plurality of 
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acting persons), the process proceeds to step S6. and the 
information is not disclosed. 

When a decision has been made at step S51 that the 
individual is under the protection of other individual and the 
process has proceeded to step S57 , a posting is carried out to 
the protector who looks after this individual according to the 
posting order table of this protector. In this case, even when 
an acting person has been registered in the posting order table 
of this protector, a posting is not carried out to this acting 
person . 

When a response of the approval for the information 
disclosure has been received from this protector as a result 
of posting to this protector (step S57), the process proceeds 
to step S7. In this case, the authentication procedure at a 
normal time is carried out to this protector . On the other hand , 
when a response of no approval for the disclosure has been 
received from this protector or when there has been no response 
from this protector, the process proceeds to step S6 , and the 
information is not disclosed. 

Fig. 13 is a diagram showing a detailed flow of the 
authentication procedure at a normal time at step S7 shown in 
Fig. 11. 

The information disclosure table (reference Fig. 6) of 
the individual (the patient) who has received the information 
disclosure request is referred to. Then, it is confirmed at 
what disclosure level the disclosure-requested information has 
been assigned to (step S71). 
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Next, the normal- time authentication table (reference 
Fig. 7 ) corresponding to the disclosure level of this individual 
(the patient) is referred to. In this case, when the 
authentication procedure is carried out to the acting person 
or the protector in place of the individual, the normal -time 
authentication table of this acting person or the protector 
corresponding to this disclosure level is referred to. In this 
example, the explanation will be continued based on the 
assumption that the authentication procedure of the individual 
is carried out. 

In the example shown in Fig. 7, it has been registered 
that the authentication is carried out based on the "password" , 
the "fingerprint", and the "voiceprint " . In this case, the 
server machine 100 requests the client machine 300 to input the 
password, the fingerprint, and the voiceprint registered in 
this table. The patient who has visited this hospital inputs 
the own password from the keyboard of the client machine 300, 
applies the own fingers on the fingerprint reader 360 to make 
it read the fingerprint, and further gives voice to the 
microphone 305 to input the voiceprint. Then, the password, 
the fingerprint, and the voiceprint are transmitted to the 
server machine 100 shown in Fig. 1. The server machine 100 
compares the password, the fingerprint, and the voiceprint that 
have been transmitted with the password, the fingerprint, and 
the voiceprint registered in the authentication data table 
(reference Fig. 5) of the individual (the patient) respectively, 
to decide whether they coincide with each other or not . 
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When it has been decided that the password, the 
fingerprint , and the voiceprint that have been transmitted from 
the client machine 300 belong to the individual, the 
authentication becomes OK. When a decision has been made that 
any one of the password, the fingerprint, and the voiceprint 
does not belong to the individual or is unknown, the 
authentication becomes NG. At step S9 in Fig. 11, a decision 
is made about whether this authentication is OK or NG. 

3 Fig. 14 is a diagram showing a detailed flow of step of 

2 the disclosure (step S10) in Fig. 11. 

2 The individual- information table (reference Fig. 4) of 

{; this individual (the patient) is referred to, and the 

^ disclosure-requested information is extracted (step S101) . In 

i the present embodiment, false information is generated for some 

^ information of which disclosure has not been requested, and this 

□ false information is added to the information extracted from 

the individual- information table (step S102). Thus, the 
individual information that partly includes the false 
information is transmitted to the client machine 300 as the 
request origin (step S103). 

As the client machine 300 knows what information the 
client machine 300 has requested for the disclosure, the client 
machine 300 can extract only correct information from the 
received information that includes the false information. 
When a human being like the doctor who has operated the client 
machine 300 tries to discriminate between the correct 
information and the false information, there is a risk that an 
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unexpected error occurs. Therefore, it is preferable that the 
client machine 300 stores a record about what information the 
client machine 300 has requested for the disclosure, extracts 
only the information of which disclosure has been requested from 
among the information received from the server machine 100. and 
presents only the correct information to the doctor. Based on 
the inclusion of the false information as a part of the 
information, a malicious third person who steals the individual 
information in the course of the transmission of the information 
from the server machine 100 to the client machine 300 cannot 
discriminate between the correct information and the false 
information. As a result, it is possible to protect the 
individual information. 

The authentication procedure at an emergency time at step 
S8 shown in Fig. 11 is carried out, for example, when a patient 
has become unconscious and has been brought to the hospital. 

This hospital has been registered in advance in the server 
machine 100 as the hospital that performs an emergency medical 
care. When a special password is input to the client machine 
300 installed in this hospital and then the client machine 300 
is operated, the server machine 100 can handle the information 
disclosure request from this client machine 300 as the case of 
high urgency. 

At step S8, the authentication procedure of this case is 
carried out. At this step, the emergency- time authentication 
table (reference Fig. 8) of this individual (the patient) is 
referred to . 
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In the example shown in Fig. 8, the individual has 
registered in advance that the authentication is carried out 
based on the fingerprint or the DNA. The server machine 100 
requests the client machine 300 to transmit the fingerprint or 
the DNA data. The client machine 300 collects the fingerprint 
of the brought-in patient with the fingerprint reader 306 , and 
transmits this fingerprint to the server machine 100. When the 
fingers have been disconnected by accident, for example, and 
it is not possible to use the fingerprint, the DNA analysis is 
carried out, and this result is input to the client machine 300, 
and is then transmitted to the server machine 100. 

The server machine 100 refers to the authentication data 
table for this individual (the patient), and makes a decision 
about whether the transmitted fingerprint is the fingerprint 
of this individual or not. When the DNA analysis result has 
been transmitted alternately, the server machine 100 makes a 
decision about whether this DNA is the DNA of this individual 
or not. In this authentication procedure at an emergency time 
(step S8) , when it has been confirmed that any one of the items 
stored in this emergency- time authentication table (reference 
Fig. 8) belongs to this individual, the authentication becomes 
OK. 

When the authentication has become OK or the 
authentication has become NG in the authentication procedure 
at an emergency time at step S8 , the subsequent procedure is 
similar to that after the authentication has become OK or the 
authentication has become NG in the authentication procedure 




at a normal time at step S7. 

While the explanation has been omitted in the above, the 
communications between the server machine 100 and the client 
machines 200 and 300 in the system shown in Fig. 1 are carried 
out in the encrypted format, and the decryption is made at the 
received side. The encryption and the decryption are carried 
out based on the existing techniques. 

As explained above, according to the present invention, 
it is possible to effectively protect the individual 
information and to effectively utilize the individual 
information . 
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